
Google's Project Zero has disclosed a severe vulnerability in Dolby's DDPlus Unified Decoder that can be exploited with zero clicks on Android devices. Attackers can compromise Android phones without any user interaction, simply by sending a malicious audio message.
The flaw, tracked as CVE-2025-54957, exists in the Dolby decoder itself, but becomes zero-click specifically on Android due to how the platform automatically decodes all incoming audio messages and attachments for transcription.
When processing specially crafted audio files, an out-of-bounds write occurs during evolution data parsing, potentially allowing attackers to execute malicious code in the mediacodec context.
How the Attack Works
The vulnerability stems from an integer overflow in the decoder's length calculation when processing evolution information. This causes the allocated buffer to be undersized, making subsequent bounds checks ineffective and allowing memory corruption.
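The bug class described above, as an added illustration that is not Project Zero's or Dolby's code: a length computed in 32-bit arithmetic wraps, the buffer is allocated from that wrapped value, and the later back-to-back writes run past it. The `evo_hdr` fields, the 16 MiB cap and the two sample headers are assumptions constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed, hypothetical "evolution" header: the parser is assumed to read
 * a block count and per-block size and to size its buffer from them. This
 * shows the bug class only; it is not Dolby's code or the real CVE layout. */
struct evo_hdr { uint32_t num_blocks, block_size, hdr_bytes; };

/* Vulnerable pattern: 32-bit arithmetic wraps silently, so the length used
 * for the allocation and the one up-front sanity check is far too small. */
uint32_t vuln_alloc_len(const struct evo_hdr *h)
{
    return h->num_blocks * h->block_size + h->hdr_bytes;
}

/* Hardened pattern: widen, detect wrap explicitly, cap to a sane maximum.
 * Returns 0 when the header must be rejected. */
#define EVO_MAX_LEN (16u * 1024u * 1024u)
size_t safe_alloc_len(const struct evo_hdr *h)
{
    uint64_t prod, total;
    if (__builtin_mul_overflow((uint64_t)h->num_blocks, h->block_size, &prod)) return 0;
    if (__builtin_add_overflow(prod, h->hdr_bytes, &total)) return 0;
    return total > EVO_MAX_LEN ? 0 : (size_t)total;
}

/* The later copy loop lays blocks out back to back with offsets computed in
 * size_t (no wrap), so true when the final write lands past the allocation. */
bool writes_exceed_buffer(const struct evo_hdr *h, size_t alloc_len)
{
    return (uint64_t)h->num_blocks * h->block_size + h->hdr_bytes > alloc_len;
}

/* Constructed sample headers: one benign, one whose product wraps in 32 bits. */
const struct evo_hdr kBenign    = { 4u,       256u,     16u };
const struct evo_hdr kMalicious = { 0x10001u, 0x10000u, 0u  };

int main(void)
{
    const struct evo_hdr *cases[] = { &kBenign, &kMalicious };
    for (int i = 0; i < 2; i++) {
        uint32_t v = vuln_alloc_len(cases[i]);
        printf("vuln len %u (writes past it: %s), safe len %zu\n", v,
               writes_exceed_buffer(cases[i], v) ? "yes" : "no",
               safe_alloc_len(cases[i]));
    }
    return 0;
}
```

The wrapped header passes the vulnerable length computation with a 64 KiB result while its writes end at roughly 4 GiB; the overflow-checked version rejects it outright.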
On Android, attackers can trigger the flaw by sending a weaponized audio file through messaging apps that support RCS (Rich Communication Services), with the device automatically processing it without user interaction.
Google researchers successfully achieved zero-click code execution on a Pixel 9 device, demonstrating Android's unique exposure. While the Dolby decoder bug exists across multiple platforms—including MacBooks, iPhones, and ChromeOS—the zero-click attack vector is specifically an Android issue. On other platforms, the bug may require user interaction (like manually playing a file) or may not be exploitable at all due to pre-processing security checks.
Widespread Impact Across Platforms
While the zero-click vector is Android-specific, the underlying Dolby decoder vulnerability affects devices across the technology ecosystem. Google researchers confirmed crashes on Pixel 9, Samsung S24, MacBook Air M1, and iPhone 17 Pro devices.
Microsoft has issued its own advisory, while ChromeOS quietly patched the flaw in a September update. However, the exploitability varies significantly—what's a zero-click threat on Android may require user interaction or be completely mitigated on other platforms.
"We investigated the exploitability of this bug on Android, and have achieved 0-click code execution," Project Zero researchers stated in their disclosure.
Protection and Patches
The 90-day disclosure deadline ended September 25, 2025, with fixes now available. Android users should immediately update to the latest security patches. ChromeOS users received fixes in the September 18 stable channel update, while Microsoft has published guidance for Windows systems.
The vulnerability highlights the growing threat of zero-click attacks on Android, where automatic background processing creates attack surfaces that bypass user interaction entirely, making timely security updates more critical than ever.